Exposing security flaw forced tax agency to fix it, experts argue

Roberta Solis-Oba, father of Stephen Arthuro Solis-Reyes who has been charged in connection with exploiting the "Heartbleed" bug to steal taxpayer data from a government website, arrives at the family home in London, Ontario April 16, 2014. REUTERS/Geoff Robins

Whoever used the infamous Heartbleed bug to siphon social insurance numbers (SINs) from Canada’s tax collection agency did Ottawa and Canadian taxpayers a favour, hackers say.

A London computer science student was charged this week by the Mounties with exploiting the software security flaw in an attack on the Canada Revenue Agency’s (CRA’s) website, after the agency said data on about 900 people was compromised.

They were the world’s first criminal charges related to the Heartbleed bug, which essentially leaks encrypted data to a hacker.

But the lawyer for Stephen Arthuro Solis-Reyes, 19, says Canadians should be more concerned that anyone could even access information that’s supposed to be behind a virtual iron wall.

“The issue in this case isn’t the accused. The issue is — if the allegation is true — how could any teenager get access to this sensitive information?” Faisal Joseph said Friday. “The security measures people think are there are not there.”

The son of a computer science professor at Western University, where he attends school, Solis-Reyes is a former child whiz-kid who began his university exams this week with a 96% average and has published computer software and his own encryption program.

He also has a history of exploiting security breaches, says Joseph, who noted Solis-Reyes once cracked his school board system to show it wasn’t safe.

Such is the culture of hacking, say other London techies, who insist hacking can be done for good or bad.

In the CRA case, they say, the outcome was good because the agency, which receives millions of electronically filed income tax returns containing SINs and other personal data, finally patched a security flaw.